From 321d59836bdfa825655066bd32dd692b2765b792 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Fri, 6 Jun 2014 23:17:55 +0200 Subject: [PATCH] more malware --- report3/content.tex | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/report3/content.tex b/report3/content.tex index 48a4396..f5fdb55 100644 --- a/report3/content.tex +++ b/report3/content.tex @@ -83,12 +83,23 @@ Offset(P) PID Port Proto Protocol Address Create Time \subsection{Can you find traces of Malware?} -emph{\textbf{rundll32.exe}} could hint that the system has been compromised. +emph{\textbf{rundll32.exe}} could hint that the system has been compromised.\\ Extracting screenshots with \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots} brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} containing an outline with a Message where DEP is closing Acrobat with an open file named \emph{\textbf{navy procurement.pdf}}.\\ -This could hint at a compromised PDF. +This could hint at a compromised PDF.\\ +The TCP-LISTEN on port 1031 seems to be used by malware as described by \url{http://de.adminsub.net/tcp-udp-port-finder/1031} or \url{http://www.auditmypc.com/tcp-port-1031.asp}.\\ +\ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 ldrmodules} +\begin{lstlisting} +Pid Process Base InLoad InInit InMem MappedPath +---- -------------------- ---------- ------ ------ ----- ---------- +3976 Netlogon.exe 0x00400000 True False True \Documents and Settings\ + Administrator\Local Settings\Netlogon.exe +\end{lstlisting} +contains a suspicious line: a Netlogon.exe instance which resides in:\\ +\emph{\textbf{\textbackslash{}Documents and Settings\textbackslash{}Administrator\textbackslash{}Local Settings\textbackslash{}Netlogon.exe}}\\ +This looks very suspicious. \newpage\section{Questions image2.vmem (5 points)} -- 2.43.0
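Review bot: the changed line `+emph{\textbf{rundll32.exe}} could hint ...` still carries the missing backslash from the removed line, so `emph` is typeset as literal text; this touch is the place to make it `\emph{\textbf{rundll32.exe}}`. In the same hunk, `\ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 ldrmodules}` uses a font switch as if it took an argument, which leaves everything after it in the group in typewriter; `\texttt{...}` is what the surrounding text wants (the earlier `screenshot --dump-dir` command has the same construct and would benefit from the same fix). On content: the prose says the ldrmodules output "contains a suspicious line" and then closes with "This looks very suspicious." without saying what is suspicious; state it once, namely that a binary named Netlogon.exe is loaded from `\Documents and Settings\Administrator\Local Settings\` rather than from the system directory, and drop the duplicate closing sentence. The two port-lookup URLs given for TCP 1031 are weak evidence on their own; consider phrasing the claim as a hint to follow up (e.g. with the owning PID from the earlier connection listing) rather than as a finding.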